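---
# Scheduled and on-push Trivy filesystem scan of the repository, with a
# webhook notification when any step of the job fails.
name: Trivy

on:
  schedule:
    # Every day at 01:00 (scheduler time zone)
    - cron: '0 1 * * *'
  push:

jobs:
  test:
    runs-on: docker
    steps:
      # NOTE(review): a version tag is mutable; pinning the action to a full
      # commit SHA protects the job against a re-pointed tag.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install system dependencies
        run: |
          # Abort on the first failing command or unset variable.
          set -eu
          export DEBIAN_FRONTEND=noninteractive

          # Refresh the package index first: a fresh container image may ship
          # without apt lists, which makes the install below fail.
          apt-get update
          # ca-certificates is only a "Recommends" of wget, so it is named
          # explicitly; without it the HTTPS download cannot be verified.
          apt-get install -y --no-install-recommends ca-certificates wget gnupg

          # Download the signing key to a file before converting it. In a
          # pipeline a failed download would be masked by the exit status of
          # the last command and leave an empty keyring behind.
          # NOTE(review): the key is trusted on the strength of TLS to this
          # host alone; comparing its fingerprint with a value recorded out of
          # band would tighten that.
          wget -qO /tmp/trivy-public.key https://aquasecurity.github.io/trivy-repo/deb/public.key
          gpg --dearmor < /tmp/trivy-public.key > /usr/share/keyrings/trivy.gpg
          rm -f /tmp/trivy-public.key

          # Overwrite rather than append, so a reused container does not
          # accumulate duplicate source entries. signed-by scopes the key to
          # this repository only.
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" > /etc/apt/sources.list.d/trivy.list

          apt-get update
          apt-get install -y --no-install-recommends trivy

      - name: Run trivy
        run: |
          # --exit-code 1 makes the step fail when findings are reported;
          # trivy exits 0 by default, so without it the job stays green and
          # the failure notification below never fires for vulnerabilities.
          # --ignore-unfixed limits findings to those with a fix available.
          trivy fs --no-progress --ignore-unfixed --format table --disable-telemetry --exit-code 1 .

      # Notify if any previous step in this job failed
      - name: Notify on failure
        if: ${{ failure() }}
        env:
          # Context values are passed through the environment rather than
          # expanded inside the script text, and the webhook URL stays in the
          # secret store.
          WEBHOOK_URL: ${{ secrets.NODERED_WEBHOOK_URL }}
          REPOSITORY: ${{ forgejo.repository }}
          RUN_NUMBER: ${{ forgejo.run_number }}
          SERVER_URL: ${{ forgejo.server_url }}
        run: |
          # --fail turns an HTTP error from the webhook into a failed step
          # instead of a silently lost alert; --max-time bounds a hung
          # endpoint.
          curl -X POST \
            --fail \
            --max-time 30 \
            -H "Content-Type: application/json" \
            -d "{\"repository\":\"$REPOSITORY\",\"run_number\":\"$RUN_NUMBER\",\"status\":\"failure\",\"url\":\"$SERVER_URL/$REPOSITORY/actions/runs/$RUN_NUMBER\"}" \
            "$WEBHOOK_URL"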